IETF Logo Mail Archive

Re: RA extension review requested for draft-wkumari-dhc-capport

Mark ZZZ Smith <markzzzsmith@yahoo.com.au> Wed, 18 March 2015 04:28 UTC

Return-Path: <markzzzsmith@yahoo.com.au>
X-Original-To: ipv6@ietfa.amsl.com
Delivered-To: ipv6@ietfa.amsl.com
Received: from localhost (ietfa.amsl.com [127.0.0.1]) by ietfa.amsl.com (Postfix) with ESMTP id F13C01A8A6E for <ipv6@ietfa.amsl.com>; Tue, 17 Mar 2015 21:28:47 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -0.499
X-Spam-Level:
X-Spam-Status: No, score=-0.499 tagged_above=-999 required=5 tests=[BAYES_00=-1.9, DKIM_SIGNED=0.1, DKIM_VALID=-0.1, DKIM_VALID_AU=-0.1, FREEMAIL_FROM=0.001, FROM_LOCAL_NOVOWEL=0.5, HK_RANDOM_ENVFROM=0.001, HK_RANDOM_REPLYTO=0.999, RCVD_IN_DNSWL_NONE=-0.0001] autolearn=no
Received: from mail.ietf.org ([4.31.198.44]) by localhost (ietfa.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id 7-rUNefO-wKV for <ipv6@ietfa.amsl.com>; Tue, 17 Mar 2015 21:28:45 -0700 (PDT)
Received: from nm5-vm0.bullet.mail.bf1.yahoo.com (nm5-vm0.bullet.mail.bf1.yahoo.com [98.139.213.150]) (using TLSv1 with cipher ECDHE-RSA-RC4-SHA (128/128 bits)) (No client certificate requested) by ietfa.amsl.com (Postfix) with ESMTPS id 34E371A8A6B for <ipv6@ietf.org>; Tue, 17 Mar 2015 21:28:45 -0700 (PDT)
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=yahoo.com.au; s=s2048; t=1426652924; bh=MYbmxtVV5LAQBAZEU9LQGoA4JGWn2SoaVRj884tUcII=; h=Date:From:Reply-To:To:Cc:In-Reply-To:References:Subject:From:Subject; b=sFVr7c7i1DUmxvDVzwhN2pnt7gd6KS9uTjZih8owdNlASOOPuThK1I+AF0tsf+XU8bmhC0+YhsJTiFK57LYIhgdHW+8np6HfxqhKfmgYjK2xEXLPsBUeBNDEPARbz+bZNiMicGKfnuHFSBYg0+zE00MXosOjwJguHsAwbUHgiuInp3obsGZ54MV00/SDvVt1AdFeZLJc3mBjYZ8J1AsU23RapNvuR+jVxVkJgeLVtO3ndDKS11plN4KyvwYfd5D3cdRLSQTR/SXb0/2sXAyIoP1xbVwI6xUxSHyv0PheV9SsK2WNIj8zjvlUAAkZDyL/AXFeMEB+nm0EHzLxHq2mlg==
Received: from [66.196.81.170] by nm5.bullet.mail.bf1.yahoo.com with NNFMP; 18 Mar 2015 04:28:44 -0000
Received: from [98.139.212.218] by tm16.bullet.mail.bf1.yahoo.com with NNFMP; 18 Mar 2015 04:28:44 -0000
Received: from [127.0.0.1] by omp1027.mail.bf1.yahoo.com with NNFMP; 18 Mar 2015 04:28:44 -0000
X-Yahoo-Newman-Property: ymail-3
X-Yahoo-Newman-Id: 213570.21287.bm@omp1027.mail.bf1.yahoo.com
X-YMail-OSG: etg6jowVM1nJFCvruI1cffXfuoHCF3CbcTuRZ1RdEEFB.Q.40p9E3Z8vIvVy6uY yFe_.7hzV.LLGuyobxEesy35ZeA2T.32AvylyHpuKy.MMPFExRbh7KO1S9mLxnKw_n9Bkl70P.M6 L79m7qRgsp3H8GL7fJJzIdXBALb1XN0_e331Tf6RFebshpQ2Md9idLYc_Iw00lieE.hJGqvAtayq d_Cswy3MBEI1vG7rNby4vmvDDesnZ40uSmhn9Rbi3lkQCx8WWq_7ako5K.08TFwI49VvEJ9WvP4J m.BU_yssjjEUBL1tfhi4rnfIKtYudD3EbwwpOo5D5zo2GLEVKfn5W0EhndDq1699phSsqQywqsKL 2em1zoWbHYhIuSEFMDsnurwcDNy6I_5cZ_3I5CA1IKrUHhl1DK08Eml1GptIjmwwHCRUaLjatWz8 WGA_R8sm.Y.zFasP1mhpsMelbqiH3FoDJ_H4QRsgndbsbJ2jOOhIuF2GN4Qt3QYTnubZvUtRD0mg qxCw.XcIA6i8Dg2ac3lmdnhvIprxPSndH5rDnUK_A2kgBbkc9
Received: by 66.196.80.113; Wed, 18 Mar 2015 04:28:43 +0000
Date: Wed, 18 Mar 2015 04:28:18 +0000
From: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
To: Ted Lemon <Ted.Lemon@nominum.com>
Message-ID: <1751294823.356532.1426652898444.JavaMail.yahoo@mail.yahoo.com>
In-Reply-To: <6940B745-20F0-4DA2-A45E-DB55AAB1004E@nominum.com>
References: <6940B745-20F0-4DA2-A45E-DB55AAB1004E@nominum.com>
Subject: Re: RA extension review requested for draft-wkumari-dhc-capport
MIME-Version: 1.0
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: 7bit
Archived-At: <http://mailarchive.ietf.org/arch/msg/ipv6/6MtLwtpPIVSD3Tp_I0-mdG11os8>
Cc: IPv6 List <ipv6@ietf.org>, Bob Hinden <bob.hinden@gmail.com>
X-BeenThere: ipv6@ietf.org
X-Mailman-Version: 2.1.15
Precedence: list
Reply-To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
List-Id: "IPv6 Maintenance Working Group \(6man\)" <ipv6.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/options/ipv6>, <mailto:ipv6-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/ipv6/>
List-Post: <mailto:ipv6@ietf.org>
List-Help: <mailto:ipv6-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/ipv6>, <mailto:ipv6-request@ietf.org?subject=subscribe>
X-List-Received-Date: Wed, 18 Mar 2015 04:28:48 -0000

Hi Ted,


----- Original Message -----
From: Ted Lemon <Ted.Lemon@nominum.com>
To: Mark ZZZ Smith <markzzzsmith@yahoo.com.au>
Cc: Bob Hinden <bob.hinden@gmail.com>; IPv6 List <ipv6@ietf.org>
Sent: Tuesday, 17 March 2015, 12:51
Subject: Re: RA extension review requested for draft-wkumari-dhc-capport

On Mar 16, 2015, at 8:41 PM, Mark ZZZ Smith <markzzzsmith@yahoo.com.au> wrote:
> I raised the same issue with multiple interfaces in my doc shepherd review, and the new version addresses that point; I'd be curious to know if you have additional text to suggest, or if you are satisfied with the changes.
> 
> 
> / That wasn't obvious to me, and I find that the abstract and introduction, which set the context for the rest of the document, implied to me that the device was single homed by using the term "behind" (I'd even interpret that a multihomed device being described as "behind" a captive portal means that all of its interfaces are downstream of the captive portal).

Can you suggest a clarification that makes sense to you?


/ I think it is more structural than just a clarification, meaning that the topic of multihomed/multi-interface hosts needs to be specifically dealt with. Think smartphones to make the problem less abstract, as at least here in Australia, they've recently become the most commonly used Internet access device.

> 
>> o the protocol being used for the reachability status and Captive Portal is HTTP (hence supplying a URI)
> 
> URIs are not http-only, although I tend to agree that http is the likely transport.
> 
> / My first concern was that encoding URIs in RAs means that this option could be pretty large.

OK.   The RA I'm getting from Comcast at the moment is 96 bytes, so I think there's enough headroom to accommodate a short captive portal URI.   Maybe you could explain how this is going to be a problem in practice?

   Remember that we're talking specifically about the captive portal use case, so it's not the case that this is going to be a network with a large number of prefixes or that is going to offer a long domain name search list.


/ So if we assume this is the first of likely to be many RA options that are encoding application level parameters 
(arguably it would be the second, because DNS IP addresses too are greater than layer 3 parameters), then many RA options with possible large payloads could be a problem. 

/ It seems there is confusion between what is supposed to into RAs and what is supposed to go into DHCPv6 options, and the way people are addressing this confusion is to try to put it in both. In this scenario, if the local router is supposed to provide the captive portal URI, then I would think it should be being provided by a local state or stateless DHCPv6 server on the router.


> / I'm also of the view that RAs should only contain subnet specific network layer configuration information, as I described in section 2, "Internet Transparency and Application Configuration" of "IPv6 CE Device DHCPv6 Option Transparency" (https://tools.ietf.org/html/draft-smith-v6ops-ce-dhcpv6-transparency-00#section-2). I think describing a limited network reachability prefix via RA options to a host, and then letting the host decide what to do with that information is consistent with using RAs to describe subnet specific network layer configuration information.
> 
> / More basically, I think encoding application or application class parameters in RAs is a layer violation.
> / I think DHCPv6 is a better place for larger options that are application specific or application-class specific (i.e., layer 4+ options), such as URIs.

I don't think you are making a meaningful distinction.   Both DHCP and ND are layer 7 protocols, and ND provides configuration information such as DNS server IP addresses and domain name search lists, to which your objection would also apply.

/ I don't agree that ND is a layer 7 protocol, as it's reachability is limited to a single link. It cannot traverse multiple links, and therefore isn't end-to-end. DHCP can be made to traverse multiple links via DHCP relays that are DHCP option transparent, so DHCP is close to an end-to-end layer 7 protocol.

/ At the risk of telling you about something you already know about, I think that the most valuable property of the Internet architecture is that the network is application transparent or agnostic. The network doesn't (or shouldn't) create barriers to deploying new applications. Applications are deployed on the end-points only, "on" or "over" the network, but not "in" the network. The network, or specifically, the routers, don't need to be upgraded to support new applications because they're oblivious to them, as they just forward packets regardless of the packets' payloads (with encryption of packet payloads forcing this transparency model).

/ To operate applications, you usually need to configure them. Manual per-host configuration is not scalable, hence application configuration automation via protocols such as DHCPv6.

/ If your network isn't automated application configuration protocol transparent, then it also isn't application transparent. The network stops you from easily configuring the application and therefore stops you from being able to easily operate the application (unless you resort to per-host manual configuration). In other words, I think the property of "application transparency" needs to include and imply automated application configuration transparency.

/ To deploy new RA options requires upgrading the routers that are to issue them. If RA options are used to convey application configuration parameters, then router upgrades are required to deploy new applications. The network is not "application transparent" any more because it isn't application configuration transparent in its current state. Successfully deploying new applications is tightly coupled to the RA options the local router implementation supports.

/ That is why I think the DNS server and domain name search RA options you mentioned are a mistake, and should not be used as an example of what are acceptable in RAs. They encourage a model of a host's ability of being able to run applications being coupled to and constrained by what options the upstream router supports in it's RAs, unless we accept pre-1980s practices (i.e., pre-Appleltalk, Novel Netware etc.) of per-host manual application configuration. 

   So we are not treading new ground here, as far as I can tell.   And the information being provided is specific to the link to which the host is attached.



/ However it also means that it wouldn't be possible to direct different clients to different captive portals based on individual client attributes. I'd think that would be a useful and probably an important capability for this sort of scenario (actually I pretty much know it is - one of the purposes of the captive portal I've put in place in the past was to suspend service to customer who's bill was overdue - presenting a client specific "pay now" button is far more user friendly that making them login via a generic web page).

>> o that the receiving device provides a quite capable interactive user interface where text/numbers can be entered (e.g., computer screen/a web browser). 

> 
> I think the answer here is that the receiving device will likely only be able to authenticate to the captive portal if it has a UI or else if some new mechanism is provided that supports automatic authentication.   However, the target for this particular document is devices with user interfaces, not IoT devices, so I think within that realm we are okay.   Perhaps the document should be clearer on this point.
> 
> I think that the amount of work that would be required to define a mechanism for automatic authentication is really substantial, and would have limited value: we don't even know if captive portal folks will implement this very simple mechanism.   So I think that should be out of scope for this document.   The presence of the URI option already indicates that a captive portal is present, so IoT devices that recognize this option can avoid using the captive interface.
> 
> / It seems to me that solutions to problems should be made as general as possible. In this case, I think there are really two problems (a) indicating to a device that one of its interfaces has limited reachability (which may be its only external interface) and (b) indicating to the device operator that their is limited reachability and possibly providing methods of resolving that if desired. They seem to me to be separate problems that are occurring at different layers in the stack.

I think that if you want to propose a solution to the larger problem, that's great, but you haven't proposed a competing solution. 

/ I think I did in my first response. Use RAs to convey nothing more than limited reachability information (which probably falls under the domain of the MIF WG, and they may have already solved it), and is an attribute that would be common to all hosts receiving the RA, and may be specific to the individual router issuing the RA.

/ Make the way that information is presented to the device user up to the device implementation, best suited to the device's user interface capabilities (which may include an external log 'user interface'). Provide hints or parameters for certain UI applications via DHCPv6, such as the URI, overriding a default value or if a default value is not possible. These could be client specific if necessary or useful, matching on DUIDs or other DHCPv6 client supplied option values.


 The problem this document addresses causes serious operational issues that have nothing to do with, e.g., IoT devices.   E.g., my mom is in a nursing home undergoing rehab for a knee operation right now, and every time she has to authenticate to their captive portal, she has to click through several warnings in her browser because the captive portal has to lie to capture her browser.   This proposal eliminates that problem.   This is a big deal.

/ My motivation for writing the above draft was exactly user friendliness. I don't expect your or my mother to have to upgrade a router to be able to have automated configuration of a new application work so that they can run a new application. I've worked at residential ISPs where CPE were BYO, and there is next to no chance of router firmware being upgraded happening when getting customers to both pick good and be able to change service authentication passwords successfully is basically impossible.

/ We need to avoid as much as possible any changes to protocols that require router upgrades, like new RA options, because router upgrades are relatively hard compared to per-host incremental upgrades, usually disruptive to many hosts, and for a portion of their "operators", basically impossible.

/ DHCPv6 options are better because a router operating as a DHCPv6 relay is DHCPv6 option transparent. New DHCPv6 options can be deployed without having to upgrade routers, unless the router itself is also operating as (a host operating as) a DHCPv6 server.

So while you certainly have a point that there is a larger problem to solve here, given that no proposal to solve it has, as yet, surfaced, I don't think you've actually given a reason why we shouldn't proceed with address the more restricted use case that we actually can address.

/ My fundamental concern here is really about the use of RAs to convey any more than link specific IPv6 layer 3 parameters. IPv6 has given us back the possibility of network application transparency that IPv4 NAT took away. I don't want to see that application transparency taken away again by using RAs to configure applications, because of how tightly it couples application configuration to local router capabilities. That is what I think DHCPv6 is for.


So the main action item I'm taking away from this review, with respect specifically to Warren's document, is that we should tweak the abstract to be more clear.   If you have text to suggest that would be great.   Otherwise I'll confer with Warren and see if we can come up with something.   Thanks very much for the thorough review!

/ The above probably doesn't provide what you're after, however I hope it provides some food for thought. 

Regards,
Mark.

v2.23.0 | Report a Bug | By Email